Advanced Issues in Business Associate Contracting


1 Advanced Issues in Business Associate Contracting
Alice J. Becker, JD, Senior Associate General Counsel, PeaceHealth, Bellevue, WA
Rebecca L. Williams, RN, JD, Partner, Davis Wright Tremaine LLP, Seattle, WA

2 Two Sides to Every Contract
Covered entity
  Has obligation to enter into contract
  Often want added assurances
Business associate
  If business associate wants to work with health care or insurance industries, must contract
  May be a covered entity
Battle of the Forms

3 Comparison of HIPAA Contracts
Chain of Trust Agreement
  Now Eliminated in Final Security Rule
Trading Partner Agreement
  Transaction & Code Set Rule
Business Associate Contract
  Privacy and Security Rules
Data Use Agreement
  Privacy Rule (for use with limited data sets)
Contracts may be combined as appropriate, such as
  Clearinghouses may require Trading Partner–BAC Combo
  BA who creates limited data sets

4 A Short Overview — Who is a Business Associate?
A person who, on behalf of a covered entity or OHCA —
  Performs or assists with a function or activity
    Involving individually identifiable information, or
    Otherwise covered by HIPAA
  Performs certain identified services
Auditors, Actuaries
Billing Firms
Lawyers
Clearinghouses
TPAs
Covered Entity
Management Companies
Consultants, Vendors
Accreditation Organizations

5 Business Associate Contracts — Required Terms Under Privacy Rule
Use and disclose information only as authorized in the contract
  No further uses and disclosures
  Not to exceed what the covered entity may do
Implement appropriate safeguards
Report unauthorized disclosures to covered entity
Facilitate covered entity’s access, amendment and accounting of disclosures obligations
Allow HHS access to determine CE’s compliance
Return/destroy protected health information upon termination of arrangement, if feasible
  If not feasible, extend BAC protections
Ensure agents and subcontractors comply
Authorize termination by covered entity

6 Business Associate Contracts — Required Terms Under Security Rule
Implement administrative, physical and technical safeguards that reasonably and appropriately protect the Confidentiality, Integrity and Availability of electronic protected health information
Ensure any agent agrees to same restrictions
Report any security incident
Authorize termination if the covered entity determines business associate has breached
When to implement? Now? 2005?

7 Limited Data Set — Not Quite De-Identified
LDS = PHI that excludes direct identifiers except:
  Full dates
  Geographic detail of city, state and 5-digit zip code
Not de-identified
Special rules apply

8 Data Use Agreements
A CE may use or disclose a limited data set for research, public health or health care operations if recipient signs data use agreement
Required Elements:
  Establish permitted uses and disclosures by recipient
  Establish who is permitted to use or receive limited data set
  Require recipient to:
    Not further use or disclose information
    Use appropriate safeguards
    Report impermissible use or disclosure
    Ensure agents comply
    Not identify the information or contact the individuals
Beware of state law twists

9 Transition Provisions
Covered entities may continue existing contracts for up to one year beyond April 14, 2003
  Existing contract prior to effective date of final amendment
  Contract not renewed or amended between October 15, 2002 and April 14, 2004
Covered entity still required to comply with Privacy Rule

10 PeaceHealth — An Organizational Challenge
3 states (Oregon, Washington and Alaska)
6 hospitals
Outpatient clinics, nursing home, EAPs, home health, hospice, retail pharmacies, laboratories
Self-insured health plan

11 PeaceHealth Identification Process
Security and Privacy Oversight Committee (“SPOC”)
Regional contract coordinators
Education and training
Website information
Agreements normally subject to Legal Department review
Ignore “extension”

12 Contract Process — PeaceHealth Forms
Template Business Associate documents
Existing, new, and no written agreement
Incorporate security requirements — no separate agreement
Incorporate state law requirements (patient rights)
Other template agreements with business associate provisions embedded (e.g., medical director agreements)
New agreements — add templated language (e.g., transcription agreements)
Negotiations — PeaceHealth does not insist on non-required provisions

13 Contract Process — Third Party Forms
Examples — “large vendors” (e.g., Siemens, Premier, IDX, Xerox) to accreditation entities (e.g., CAP)
Educate PeaceHealth to send to Legal Department
Avoid battle of the forms:
  Agree to form if tracks the rule
  Don’t agree to non-required provisions, e.g., OCR language
  Check for state law compliance
  Allow each region to sign own form, i.e., JCAHO

14 PeaceHealth Approach as Business Associate
All third party documents must come to Legal Department
PeaceHealth templated agreements
Include minimum requirements

15 Issues in Negotiations
Covered entity obligations listed in OCR language
  Notice to BA
  No nonpermissible requests
  Obligation to notify BA of changes to NPP or PHI
Requirement to mitigate on business associate
  CE has duty to mitigate under HIPAA
  Would want assistance from BA
  Not required

16 Issues in Negotiations
Indemnification
Insurance
Right to review contracts between business associates and their subcontractors/agents
Right to inspect/investigate/audit
Ownership of information
Change in law
  Agree to negotiate amendments
  Unilateral amendments
No third-party beneficiaries
  Beneficial to both parties

17 Issues in Negotiations
Termination provisions
Right to immediately terminate
Cure periods
Authorized to terminate
Absence of termination provisions
Reference back to underlying contract
Unilateral approach

18 Issues in Negotiations
Whistleblower provision
45 CFR Section (j)(1)(i)
De-identification of PHI
Don’t meet state law timeframes/obligations
Challenges to relationship
Treatment only?
OHCA?

19 Issues in Negotiations
Data Use Agreement
Detailed v. simple
Correct purposes?
  Public Health
  Health Care Operations
  Research
Underlying agreement
Review scope of use
Is it a limited data set?
Check State Law

20 Miscellaneous Issues
Medical staff — “PeaceHealth OHCA”
Removes need for business associate contract
Board members
Institutionally related foundations
Registries
Services to PeaceHealth/BAC
Authorized by law
Accounting of disclosures
Equipment maintenance
Medical devices
FDA reporting
May be providers

21 Miscellaneous Issues
Volunteers
Expert witnesses
Lean and mean contract
Do experts need a BAC or Second Tier BAC/subcontractor agreement?
EAP agreements
Plan sponsor requirement or No disclosure of PHI
What about non-applicable provisions?
Shredders

22 FAQs
Between providers for treatment
Third party payors
“Conduits” (couriers, mail services and electronic equivalents)
Janitorial services
Organ and tissue procurement contracts

23 Questions

